Story image

GCSB report: NZ firms lack CISOs, human investment

01 Nov 2018

More than 80% of New Zealand’s nationally significant organisations don’t have a dedicated chief information security officer (CISO), with many opting to either include responsibilities in a broader role or simply go without a CISO altogether.

The Government Communication Security Bureau (GCSB) and National Cybersecurity Centre (NCSC) published the country’s first benchmark of how 250 of NZ’s nationally significant organisations stack up when it comes to cybersecurity.

Of those surveyed, 63% have a cybersecurity incident response plan, but 33% of those had not tested that plan in the last year.

Despite the lack of a CISO to guide the way, 73% of organisations increased their cybersecurity spending in the last year. 

Seventy percent of organisations had increased spending on new security tools, while 45% had increased spend on more IT security staff. Fifty-four percent increased spending on IT staff training.

While tools and vulnerability assessments are a central focus for spending, the benchmark says that these are coming with an even higher price – the cost of investment in people. 

Fifty-two percent of organisations said they do not have enough skilled staff to meet their security requirements. 

What’s more, cybersecurity spending isn’t necessarily resulting in more cyber-confident organisations. 41% of organisations are mildly confident or not confident in their ability to detect an intrusion.

Managed security service providers should also take note: Of the organisations who use MSP services, 36% say they have no mechanism to confirm whether their provider is delivering on the agreed level of security.

“Overall it appears that digital transformation is outpacing investment in cybersecurity and as a result we found a range of resilience levels,” says GCSB director—general Andrew Hampton.

“While most organisations are heading in the right direction, more work needs to be done to improve cyber resilience across the board.”

The benchmark report adds that there are four areas of good practice that can help organisations focus their efforts for the greatest effect.

They include: •    Governance – Promoting cybersecurity at a senior leadership level to protect an organisation’s most important digital assets.  •    Investment – Investing in cybersecurity to minimise risk and maximise returns.  •    Readiness – Preparing the organisation to detect, respond, and recover from a cybersecurity incident.  •    Supply Chain – Maintaining oversight and awareness of the cybersecurity risks in an organisation’s supply chain.

Each of the 250 organisations received its own individualised and commercially-sensitive report as part of the findings. The reports cover actions that the organisations can take to increase their cyber resilience.

Those actions include: •    Establishing clear accountability for cybersecurity; •    Regular reporting on cybersecurity, including near misses, to executives and directors; •    Balancing strategic investment in assets and staff over vulnerability assessment; •    Identification of critical information assets and risks to those assets; •    Having a dedicated budget line for IT security; •    Preparing and regularly testing a cybersecurity incident response plan, and •    Ensuring third party vendors include specific cybersecurity service level agreements and the right to be audited on cybersecurity performance.

“Cybersecurity is a team sport and we all have to do our bit. In this interconnected world we are all just one click away from a potential threat,” Hampton concludes.

The GCSB and the NCSC are committed to working with less mature organisations to raise overall cybersecurity resilience.

Kiwis know security is important, but they're not doing much about it
Only 49% of respondents use antivirus software and even fewer – just 19% -  change their passwords regularly.
Avi Networks: Using visibility to build trust
Visibility, also referred to as observability, is a core tenet of modern application architectures for basic operation, not just for security.
Privacy: The real cost of “free” mobile apps
Sales of location targeted advertising, based on location data provided by apps, is set to reach $30 billion by 2020.
Myth-busting assumptions about identity governance - SailPoint
The identity governance space has evolved and matured over the past 10 years, changing with the world around it.
Forrester names Crowdstrike leader in incident response
The report provides an in-depth evaluation of the top 15 IR service providers across 11 criteria.
Slack doubles down on enterprise key management
EKM adds an extra layer of protection so customers can share conversations, files, and data while still meeting their own risk mitigation requirements.
Security professionals want to return fire – Venafi
Seventy-two percent of professionals surveyed believe nation-states have the right to ‘hack back’ cybercriminals.
Alcatraz AI to replace corporate badges with AI security
The Palo Alto-based startup supposedly leverages facial recognition, 3D sensing, and machine learning to enable secure access control.